Network Forensics Appliance Buying Guide

According to Gartner, organizations spent $145 million on network forensics last year, driven by the need to not just stop cyber criminals, but to learn when and where they succeeded. In this era of advanced persistent threats and laser-focused phishing, IPS and SIEM defenses are more essential than ever but still insufficient. When traditional defenses are inevitably breached, is your organization ready to react?

Network Forensics Appliances narrow this gap by delivering situational awareness and incident preparedness. Like a network DVR, these passive systems record and catalog every single bit that enters or exits a link. By delivering speedy-but-exhaustive full-packet replay, analysis and visualization, Network Forensics Appliances support cybercrime investigation, evidence gathering, impact assessment and clean-up.

In this buyer's guide, we examine the capabilities and features offered by Network Forensics Appliances. Although the specific needs of each organization differ, we look at questions that every buyer should ask when choosing advanced network infrastructure to enable forensic analysis.

Why network forensics?

During and after a suspicious event, digital forensics may be used to gather and examine evidence, providing insight into precisely what happened: where an incident originated, which systems may have been touched, what data may have been extracted and so on. In the wake of a costly breach, forensics experts may be called in, bringing both computer and network forensic tools with them. Gartner estimates that 70 percent of enterprises rely on third-party services to handle infrequent incidents that require forensic expertise.

But even experts are limited by available data. Sifting through firewall, IPS and server logs can take investigators only so far: by definition, some of the traffic associated with each breach slipped past those defenses, so it was never logged. Without a comprehensive record of network activity, it is hard to determine the true duration of a break-in or the extent of its damage. Even where host-based forensic agents were installed on servers to log all system activity, traffic sent by compromised or unmanaged devices is likely to have escaped detection.

Organizations that are risk-averse or frequent targets of high-stakes cybercrime – such as financial services – are most likely to invest in Network Forensics Appliances. Just as a storefront that is often robbed or can't afford theft might install surveillance cameras, organizations that require complete cyber threat visibility can install Network Forensics Appliances. In fact, market analysts expect recent escalation in attack frequency and impact to stimulate Network Forensics Appliance sales.

How the game is changing

Network Forensics Appliances have been around for a decade, deployed largely by high-security facilities (e.g., government). But changes to the threat landscape and products are now combining to spur enterprise interest and investment.

According to Nemertes Research, point-products are no longer sufficient to protect today's perimeter-less, virtualized, distributed, multi-application and multi-device environment. "As the economy has shifted online, the primary motive of attackers has changed from seeking to showcase technical skills to economic gain with theft of identities and intellectual property," wrote analyst Johna Til Johnson. "Security technology is improving at an evolutionary pace, while threats are increasing at a revolutionary pace."

As a result, Nemertes advises security teams to pursue more comprehensive threat protection: "Comprehensive in both scope (type and variety) and in time (starting even before a threat has been detected)," wrote Johnson. "Network forensics tools provide a natural starting point for this comprehensive functionality, as they serve to tie together data from all these products."

Network forensics tools that have expanded beyond their capture-and-store roots by integrating near-real-time capabilities have grown more powerful. "Merely analyzing packets doesn't convey effective insight into an attacker's strategy. The ultimate goal is to provide a comprehensive solution that paints the full source and scope of an attack, outlines prevention techniques and automates prevention in real time," she wrote.

Finally, technology improvements must be accompanied by human evolution. "It's no longer sufficient for a security team to provide [breach details] to colleagues and senior management," concluded Johnson. "The team must be prepared to translate the impact into business terms and risks." To this end, Network Forensics Appliances now often support applications designed to rapidly deliver actionable insight to HR, law enforcement, compliance officers and other users in addition to forensic experts.

Finding an appliance that fits

Organizations interested in network forensics should begin with expected use cases. Gartner sees four primary uses among its clients:

Post-incident analysis – After a suspicious event, packets recorded by a Network Forensics Appliance can be used to perform detailed analysis and correlation, signature-based classification of known threats and behavioral inspection to isolate zero-day attacks. This is the traditional and most common reason to buy Network Forensics Appliances, and can include looking to see whether a recently-patched bug was previously exploited.

On-demand investigation – In response to HR or legal requests, the same historical packet database can be used to extract, filter, visualize, and report upon all activities initiated by a user or system – for example, to investigate suspected insider abuse. This use is less common but growing along with Network Forensics speed and usability.

Compliance – During an audit, staff responsible for ensuring or proving regulatory compliance can use the Network Forensics database as a resource to spot network segmentation failures or data leaks and determine when and where they started. This use is being driven by mandates like PCI DSS, taking advantage of products that can quickly reconstruct and filter documents and messages.

Situational Awareness – Organizations that place a premium on real-time threat awareness can use Network Forensics to complement proactive in-line defenses by delivering deeper and more complete detail behind an IPS or SIEM alert. This historically limited use is now being expanded by improved security systems integration.

Determining which use-cases are important to your organization can help justify acquisition and prioritize requirements. An organization focused on incident analysis may care little about canned compliance reports, while one driven by situational awareness may demand integration with a specific SIEM. And so on.

Creating a requirements checklist

Given benefits you expect a Network Forensics Appliance to bring to your organization, it's time to identify required capabilities and features.

Full-packet capture: Network Forensics Appliances are passive devices, designed to connect to a SPAN (mirror) port or a network tap on segment(s) with good visibility. As such, they won't slow your network down – but they must still keep pace with highly-utilized links. Bear in mind that a SPAN port shares the switch's resources and silently drops mirrored frames when the combined traffic exceeds its capacity, whereas a tap copies every frame; either way, confirm that the appliance reports its own capture drops, because a hole in the recording is exactly what an investigator cannot afford. Select an appliance/model with network interfaces, RAM, CPU and disk write bandwidth sufficient to handle your network's peak (not average) throughput.

Packet storage and indexing: Network Forensics Appliances not only store terabytes of traffic, but index it for rapid retrieval and analysis. This is done by generating metadata – flow records and decoded fields such as source/destination IP/port, URL, hostname and user – stored alongside the packets, so applications can filter and pivot on those values without scanning the raw capture. Match storage capacity to average throughput and the desired look-back period: a link averaging 1 Gbps writes about 10.8 TB per day (125 MB/s × 86,400 s), so a 30-day window on that link needs roughly 325 TB before any compression or index overhead. If growth is likely, consider external storage support.

Portability and scalability: Most Network Forensics Appliances are dedicated devices, optimized to receive and store large packet volumes at very high rates. But some vendors also sell portable or VM appliances to be used by on-site investigators. Conversely, some vendors offer options needed by large or distributed deployments, such as management consoles to administer and extract data from multiple appliances.

Session reassembly and replay: Network Forensics Appliances do the heavy lifting, but it is their applications that make that data valuable by presenting actionable insight to users. Case in point: although products may display individual packets (directly or by launching a LAN analyzer), they must also decode packets, reassemble them into sessions (putting out-of-order and retransmitted TCP segments back into a byte stream), fingerprint applications and correlate flows. Look at how quickly this occurs and how easy the results are to use.
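To make the indexing and reassembly capabilities above concrete, here is an added Python example (not code from this article or from any vendor named in it) that does in miniature what an appliance's application layer does: it indexes constructed packet records by host and by bidirectional 5-tuple, pivots from a host to its flows, rebuilds one direction of a TCP stream from out-of-order and retransmitted segments, extracts HTTP metadata from the result, and flags a flow whose capture lost a segment. The class and function names, the sample addresses and the packet contents are assumptions made for illustration.

```python
"""Toy network-DVR index plus TCP session reassembly over constructed packets.

Added example; not the article's or any product's code. The packet records in
build_sample_index() are constructed for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float        # capture timestamp, seconds
    src: str
    dst: str
    sport: int
    dport: int
    seq: int         # TCP sequence number of the first payload byte
    payload: bytes


def flow_key(p):
    """Bidirectional 5-tuple: both directions of a connection share one key."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return ("tcp",) + (a + b if a <= b else b + a)


class PacketIndex:
    """Packets plus metadata indexes, so filter/pivot never scans raw packets."""

    def __init__(self):
        self.packets = []
        self.by_ip = defaultdict(list)    # host IP -> packet ids (as src or dst)
        self.by_flow = defaultdict(list)  # flow key -> packet ids

    def add(self, p):
        pid = len(self.packets)
        self.packets.append(p)
        self.by_ip[p.src].append(pid)
        self.by_ip[p.dst].append(pid)
        self.by_flow[flow_key(p)].append(pid)
        return pid

    def flows_for_ip(self, ip):
        """Pivot: every flow that touched this host."""
        return sorted({flow_key(self.packets[i]) for i in self.by_ip[ip]})

    def packets_in_flow(self, key, ts_from=0.0, ts_to=float("inf")):
        """Flow packets restricted to a look-back window."""
        return [self.packets[i] for i in self.by_flow[key]
                if ts_from <= self.packets[i].ts <= ts_to]


def reassemble(packets, src, dst):
    """Rebuild the src->dst byte stream from its TCP segments.

    Segments are ordered by sequence number; duplicates and overlaps
    (retransmissions) are trimmed. A hole, e.g. a frame dropped by an
    oversubscribed SPAN port, stops reassembly and is reported as a gap.
    Returns (data, gap_found)."""
    segs = sorted((p.seq, p.payload) for p in packets
                  if p.src == src and p.dst == dst)
    if not segs:
        return b"", False
    out, next_seq = bytearray(), segs[0][0]
    for seq, data in segs:
        if seq > next_seq:
            return bytes(out), True       # missing bytes between next_seq and seq
        skip = next_seq - seq             # bytes already delivered by an earlier segment
        if skip < len(data):
            out += data[skip:]
            next_seq = seq + len(data)
    return bytes(out), False


def http_request_metadata(stream):
    """Decode method and URL (scheme + Host + path) from a reassembled request."""
    head = stream.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {k.lower(): v for k, v in
               (line.split(": ", 1) for line in lines[1:] if ": " in line)}
    return {"method": method, "url": "http://" + headers.get("host", "") + path}


def build_sample_index():
    """Constructed capture: one HTTP request from 10.0.0.5 whose segments arrive
    out of order with a retransmit, its reply, and a second client whose middle
    segment never reached the capture port."""
    idx, c, s = PacketIndex(), "10.0.0.5", "203.0.113.7"
    idx.add(Packet(1.02, c, s, 51000, 80, 1034, b"files.example\r\n\r\n"))  # last bytes, first seen
    idx.add(Packet(1.00, c, s, 51000, 80, 1000, b"GET /export?id=42 "))
    idx.add(Packet(1.01, c, s, 51000, 80, 1018, b"HTTP/1.1\r\nHost: "))
    idx.add(Packet(1.03, c, s, 51000, 80, 1018, b"HTTP/1.1\r\nHost: "))      # retransmit
    idx.add(Packet(1.05, s, c, 80, 51000, 5000, b"HTTP/1.1 200 OK\r\n\r\nsecret"))
    idx.add(Packet(2.00, "10.0.0.9", s, 40000, 80, 700, b"GET /a "))
    idx.add(Packet(2.02, "10.0.0.9", s, 40000, 80, 724, b"\r\n\r\n"))       # bytes 707..723 lost
    return idx


def investigate(idx, ip):
    """Analyst drill-down: pivot from a host to each of its flows, reassemble
    both directions and report HTTP metadata, byte counts and capture gaps."""
    report = []
    for key in idx.flows_for_ip(ip):
        peer = key[3] if key[1] == ip else key[1]
        pkts = idx.packets_in_flow(key)
        sent, gap = reassemble(pkts, ip, peer)
        reply, _ = reassemble(pkts, peer, ip)
        meta = http_request_metadata(sent) if not gap and b"\r\n\r\n" in sent else None
        report.append({"peer": peer, "bytes": len(sent), "reply_bytes": len(reply),
                       "gap": gap, "http": meta})
    return report


if __name__ == "__main__":
    index = build_sample_index()
    for host in ("10.0.0.5", "10.0.0.9"):
        print(host, investigate(index, host))
```

The gap flag is the point worth keeping: a real appliance should surface its own capture drops the same way, because a silently truncated stream looks identical to a short, innocent one when all you see is the reconstructed artifact.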

Artifact reconstruction and visualization: Another capability associated with Network Forensics applications is artifact reconstruction – identifying and displaying files, documents, email messages, text messages, images and videos, media streams and voice calls, etc. Consider whether the product presents important artifacts in a usable way – for example, can you search for or highlight sensitive data elements, browse images, or

Forensic analysis tools: Network Forensics applications must balance information breadth and depth against speed of delivery. But when deep digging is called for, analysis tools must enable efficient filtering and pivoting through captured traffic. Advanced features include support for threat signatures (published and custom) and third-party interfaces that make it easy for admins to click-and-drill from an external alert into Network Forensics.

Network forensics appliances vendors

These are just some of the many features and capabilities currently found in Network Forensics Appliances. Vendors in this market include AccessData, Narus, NetScout, Network Instruments, NIKSUN, Solera Networks, RSA and WildPackets. To more fully illustrate this category over the coming weeks, EnterpriseNetworkingPlanet will profile Solera Networks' DS Appliances, RSA's NetWitness, and NIKSUN's NetDetector.

Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. With over 25 years in the network industry, Lisa has reviewed, deployed, and tested network security products for nearly a decade.